
> You're effectively talking about an attacker breaking https aren't you?

No. There are many ways to fish bearer tokens. Encryption in transit only addresses some of them.



I'm all ears, please provide one potential way.


> I'm all ears, please provide one potential way.

Just Google for session hijacking attacks. There's a wealth of information on the topic. It's a regular entry in OWASP top 10.


I did, and XSS and session sniffing, listed on the OWASP web page, would be prevented by following OAuth flows. So that just leaves MITM, which as I said, is effectively breaking https.


> I did, and XSS and session sniffing, listed on the OWASP web page, would be prevented by following OAuth flows.

OWASP's page lists 3 more examples which it seems you omitted for some reason.
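One concrete token-theft vector of the kind this thread argues about, as an added example that is not part of the original discussion: session fixation. TLS protects the bearer token on the wire, but it does nothing if the server lets the client choose the session ID before authentication and then keeps that same ID after login; an attacker who planted the ID simply waits for the victim to log in. The session store, the two login handlers, the fake credential store and the attack simulation below are all constructed for illustration and are not drawn from any real application or from the OWASP page referenced in the thread.

```python
"""Session fixation: a bearer-token theft vector that HTTPS does not address.

Constructed example. Models a minimal server-side session store with two
login handlers: one vulnerable to fixation (it authenticates whatever
session ID the client already presents) and one hardened (it rotates the
ID when privilege changes). Names, credentials and the attack are made up.
"""
import secrets


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session_id -> {"user": None | username}

    def new_session(self, session_id=None):
        """Create an anonymous session.

        If the client already presents an ID (e.g. from a cookie), adopt it.
        Accepting a client-supplied ID is what makes fixation possible.
        """
        sid = session_id or secrets.token_urlsafe(32)
        self._sessions.setdefault(sid, {"user": None})
        return sid

    def get(self, session_id):
        return self._sessions.get(session_id)

    def rotate(self, old_id):
        """Move state to a fresh unguessable ID and invalidate the old one."""
        state = self._sessions.pop(old_id, {"user": None})
        new_id = secrets.token_urlsafe(32)
        self._sessions[new_id] = state
        return new_id


USERS = {"alice": "correct-horse"}  # constructed fake credential store


def login_vulnerable(store, presented_sid, username, password):
    """Authenticates the session the client presents without rotating it."""
    if USERS.get(username) != password:
        return None
    sid = store.new_session(presented_sid)
    store.get(sid)["user"] = username
    return sid


def login_hardened(store, presented_sid, username, password):
    """Same credential check, but the pre-auth ID is discarded on login."""
    if USERS.get(username) != password:
        return None
    pre_auth_sid = store.new_session(presented_sid)  # whatever the client had
    sid = store.rotate(pre_auth_sid)                 # replaced on privilege change
    store.get(sid)["user"] = username
    return sid


def fixation_attack(login):
    """Simulate the attack against a given login handler.

    The attacker obtains a valid anonymous session ID, plants it in the
    victim's browser (crafted link, cookie injection from a sibling host,
    etc.; none of this is stopped by TLS), waits for the victim to log in
    over HTTPS, then presents the planted ID. Returns True if the attacker
    ends up holding an authenticated session.
    """
    store = SessionStore()
    attacker_sid = store.new_session()
    victim_sid = login(store, attacker_sid, "alice", "correct-horse")
    if victim_sid is None:
        raise RuntimeError("victim login unexpectedly failed")
    hijacked = store.get(attacker_sid)
    return hijacked is not None and hijacked["user"] == "alice"


if __name__ == "__main__":
    print("vulnerable handler hijacked:", fixation_attack(login_vulnerable))
    print("hardened handler hijacked:  ", fixation_attack(login_hardened))
```

The hardened handler still accepts the client's pre-authentication ID for the anonymous phase (a shopping cart, CSRF token, and so on can live there); what matters is that the ID the victim ends up authenticated under is one the attacker never saw. Rotating on every privilege change, not just login, is the general rule.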




